EP2819049A1 - Device with capacitive security shield - Google Patents
Device with capacitive security shield Download PDFInfo
- Publication number
- EP2819049A1 EP2819049A1 EP13174078.9A EP13174078A EP2819049A1 EP 2819049 A1 EP2819049 A1 EP 2819049A1 EP 13174078 A EP13174078 A EP 13174078A EP 2819049 A1 EP2819049 A1 EP 2819049A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- electrodes
- chip
- particles
- capacitance characteristic
- capacitance
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/86—Secure or tamper-resistant housings
- G06F21/87—Secure or tamper-resistant housings by means of encapsulation, e.g. for integrated circuits
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/77—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards
-
- G—PHYSICS
- G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
- G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
-
- H—ELECTRICITY
- H01—ELECTRIC ELEMENTS
- H01L—SEMICONDUCTOR DEVICES NOT COVERED BY CLASS H10
- H01L23/00—Details of semiconductor or other solid state devices
- H01L23/57—Protection from inspection, reverse engineering or tampering
- H01L23/576—Protection from inspection, reverse engineering or tampering using active circuits
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3278—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response using physically unclonable functions [PUF]
-
- H—ELECTRICITY
- H01—ELECTRIC ELEMENTS
- H01L—SEMICONDUCTOR DEVICES NOT COVERED BY CLASS H10
- H01L2924/00—Indexing scheme for arrangements or methods for connecting or disconnecting semiconductor or solid-state bodies as covered by H01L24/00
- H01L2924/0001—Technical content checked by a classifier
- H01L2924/0002—Not covered by any one of groups H01L24/00, H01L24/00 and H01L2224/00
Definitions
- This invention relates to devices which incorporate a capacitive security shield.
- This shield can implement a so-called physically unclonable function (“PUF”) based on the capacitance value.
- PAF physically unclonable function
- Integrated circuits (ICs) for applications such as smartcards, RFID tags, Pay-TV chips and similar devices often contain a secret security key and carry out secret functions.
- the IC needs to be secure against attacks from the outside which aim at retrieving data from them.
- ICs may be subjected to both front-side as well as back-side attacks.
- the "front-side” of a semiconductor device is defined as the side of the semiconductor device on which circuitry is provided.
- the "backside” of the semiconductor device is defined as the side opposite to the front-side.
- Front-side attacks may consist of opening of packaged chips, and recording electrical signals from the chip with external probes.
- Back-side attacks may consist of various analysis techniques such as photon emission detection, thermal infrared detection, liquid crystal detection, voltage or electric field detection, and electromagnetic detection methods.
- PUFs Physical Unclonable Functions
- a PUF is a function that is embodied in a physical structure that is easy to evaluate but hard to characterize.
- the physical structure that contains the PUF consists of at least one random component. This random component is introduced during the manufacturing process and cannot be easily controlled.
- PUFs are described for use as a hash function and for authentication purposes. Because through PUFs the key-like data is stored essentially in a material rather than in a circuit, the technology can also be used as part of a device that needs authentication, such as a tamper detection sensor.
- PUFs Physical Uplink UDFs
- PUF' s unique identifiers for smartcards (fingerprinting) and credit cards or as a 'cheap' source for key generation (common randomness) between two parties based on the very useful properties of PUFs of the uniqueness of the responses and unclonability of the PUF.
- An important aspect of a physical structure for a PUF is that its physical properties are such that an electric property, such as a capacitance or a resistance, can be derived from it which is not (easily) reproducible. This means that the respective electrical property behaves stochastically, i.e. varies within a single semiconductor device (having multiple physical structures), varies within a single batch of semiconductor devices, and varies between multiple batches.
- a semiconductor device comprising a capacitive security shield, the capacitive security shield comprising:
- This arrangement provides multiple capacitance measurements for different electrode configurations. This increases the random nature of the capacitance function and renders cloning even more difficult.
- the second set can comprise electrodes which are grounded, and/or floating, and/or applied with a modulation voltage.
- the second set of electrodes can be divided into sub-sets, with some grounded, some floating and some modulated.
- the second set of electrodes can all be the same or they can be divided into two or more of these sub-sets.
- the second set can be considered to be a counter electrode set, although there may be other conducting bodies which also contribute to the counter electrode function.
- the first set comprises electrodes which are applied with a modulation voltage for their capacitance measurement.
- a modulation voltage is applied to electrodes of the second set, the same modulation frequency and phase can be used, or the same modulation frequency and opposite phase. In general, any phase can be used. To increase randomness or entropy, reproducible random phases can be selected.
- the device can comprise a memory which stores a sequence of different configurations of the electrodes. This memory information is used to define how the capacitance measurement is to take place.
- the memory can be part of the device which is protected by the CSS.
- the electrodes can have an area of 100 ⁇ m 2 or less. Small electrodes are able to detect small changes in the electrode capacitances induced by small external active probe devices.
- the array of electrodes may have tens to thousands of electrodes.
- the electrode array is typically a regular array of electrodes, whereas the particles are randomly distributed by the manufacturing process.
- the particles can for example have a maximum linear dimension of less than 30 ⁇ m.
- the device can be used in a smart card or an RFID tag.
- the invention also provides a method of extracting data from a semiconductor device which comprises a structure for use in a physically unclonable function, wherein the structure comprises a set of randomly distributed dielectric or conducting particles formed within a dielectric layer and a set of electrodes formed in a layer over which the set of particles are formed, wherein the method comprises:
- the invention provides a semiconductor device comprising a CSS structure which uses a set of randomly distributed dielectric or conducting particles formed within a dielectric layer.
- a set of electrodes can be configured as at least two sets, wherein a first set is used to measure a capacitance characteristic, and a second set is configured as a counter electrode set.
- the electrode configuration can be altered so that multiple measurements can be obtained.
- the invention is based on a set of single-electrode fringe capacitors that are spread over the chip area (in particular over parts that need to be protected against attacks).
- Each capacitor senses its local environment by measuring the spreading capacitance between its electrode plate and all objects and materials that are within the electric field lines emerging from the electrode plate.
- Figure 1 shows a layer 10 of electrodes over which a dielectric layer 12 is formed, in which randomly dispersed particles 14 are embedded.
- the layer 10 can be the top metallization layer of an IC, and there is an independent connection to each electrode, which then routes to processing circuitry within the IC.
- Figure 1 shows schematically field lines formed, although electric field lines through the bottom layer are omitted.
- the electrodes are divided into two sets.
- the first set comprises active electrodes 16.
- the second set comprises counter electrodes, and some of these are grounded 18 and others are floating 20.
- Figure 1 shows a cross-section through the electrodes.
- the dimensions of the electrodes in the direction perpendicular to the plane of the drawing are comparable to their dimensions in the plane, so that the electrodes are for example generally round or square in plan view.
- the chip is covered by a dielectric layer in which conducting particles with irregular shapes are distributed randomly. If an attacker removes part of the dielectric layer, or removes, damages or displaces one or more conducting particles, then the capacitances of active electrodes in the proximity of the attacked location changes. This change is also sensed if the removal or displacement of material was done before the chip is powered on.
- a sub-set of the electrodes is selected (the first set of active electrodes) to measure their capacitive response.
- a capacitance typically is measured by repetitively charging and discharging the electrode's capacitance, e.g. with a logic gate as switching element, and measuring the average charge/discharge current.
- the gate's dynamic power dissipation is proportional to the sum of the electrode capacitor and the gate's parasitic capacitance.
- the remaining non-selected electrodes are connected in a particular connection pattern to from a collective distributed counter electrode, where the electric field lines emerging from the active electrodes terminate. Field lines can also terminal on other conductors in the vicinity.
- a first sub-set can be grounded, a second sub-set can be floating, a third sub-set can be connected to a modulation voltage with the same frequency and phase as that on the active electrodes, and a fourth sub-set can be connected to a modulation voltage with the same frequency but opposite phase as that on the active electrodes.
- all electrodes of the second set can be the same - e.g. all grounded or all floating.
- the division of the counter electrodes (the second set) can be more complex as desired. There may even be more than the four sub-sets identified above.
- connection patterns can be created by removing, adding or modifying sub-sets of active or counter electrodes.
- a particular configuration of active and counter electrodes is referred to as a physical connection pattern.
- Figure 2 shows an example of four (1 to 4) subsequent physical connection patterns of a full scan (showing a top view of part of the chip).
- the active electrodes 30 are shown with one fill pattern (these are the first set).
- the grounded counter electrodes 32 are shown with another fill pattern (these are the first sub-set of the second set) and floating counter electrodes 34 are shown with a different fill pattern (these are the second sub-set of the second set).
- the irregularly shaped forms are the conductive (or dielectric) particles.
- a full scan over the entire chip surface can be implemented by repeating a number of capacitance measurements for a set of alternative physical connection patterns.
- Figure 2 shows an example of 4 possible physical connection patterns of a full scan, i.e. 4 measurement phases.
- the number of measurement phases needed will depend on the required randomness of the measurement, on the chip area, and on the amount of parallelism in the processing of the measurements. More parallelism gives a faster scan, but requires more hardware resources on the chip.
- pairs of electrodes of a chip with 1,000 - 10,000 electrodes are compared sequentially in differential measurements, there can be 500 - 5,000 measurement phases. More realistic cases may have tens to hundreds of phases. For very accurate measurement on highly secure chips more phases can be used by reconfiguring the states of non-selected electrodes. The number of phases is also dependent on the total time available for tampering detection.
- the electrodes are made small enough then their capacitances will be less than the typical spreading capacitance of a metal probe tip that is put close enough above the dielectric layer to be able to sense electric potentials on the chip. So if someone tries to detect the electrical signal pattern produced by the active electrodes or by another circuit on the chip that is protected by the CSS by, e.g., placing a microscopic metallic tip just above the protected chip surface, then this is sensed as a change in the capacitances of the active electrodes in proximity to that tip.
- the electrode size can be a square of 1 to 5 ⁇ m side, a circle of similar diameter, or lines with similar area.
- the area is generally below 100 ⁇ m 2 so that a capacitance change which results from a small external probe can be detected.
- the particles can have largest linear dimension of 0.3 to 30 ⁇ m. The particle size and the particle density are chosen together to obtain the desired sensitivity of the capacitance function.
- the time required for a capacitance measurement depends on the noise, and on the cross-talk from other signals on the chip. It also depends on the required sensitivity of the capacitance measurement. A duration of 0.03ms - 3 ms can be required for a single capacitance measurement.
- any attempt to detect signals emerging from the chip with external probes can be detected by the chip before the attacker is able to detect the signals emerging from the chip.
- the chip can be halted or powered down, so that the attacker cannot accumulate information with long-lasting measurements.
- an attacker may be able to reveal a fixed sequence of physical connection patterns by investigating some chips (e.g. by reverse engineering), and then use that information to perform a prepared attack on another chip.
- This can be prevented by mapping a fixed sequence of logical addresses into a chip-specific sequence of physical connection patterns, e.g., with an on-chip SRAM PUF or similar.
- each chip will have its own unique sequence of physical connection patterns. In this way it is not possible to use prior information about physical connection patterns, and their relation to the logical addresses, acquired from another chip in a prepared attack.
- the SRAM PUF itself can be protected by the above CSS as well.
- the response pattern of each protected chip has to be read out in a secure terminal and stored in a database.
- Part of the database may be stored off-chip (e.g. when it is used for authentication), and part may be stored in a nonvolatile on-chip memory (when it is used for protection against attacks). This can be done by supplying a sequence of logical addresses (in case of PUFs usually called "challenges") and recording the corresponding capacitance values read from the sequence of active capacitor.
- the arrangement can use electrodes buried under a scratch protection layer or other top layer.
- a Flash or EEPROM memory can be used for the local database; with the memory protected by the CSS itself.
- Figure 3 shows a possible use of the device of the invention.
- the IC comprises the embedded memory 50, the main IC to be protected 52 and the CSS structure.
- sets of values representing the expected evaluation result of the CSS 54 are stored in the chip's internal non-volatile memory 50.
- An attempt to remove the passivation layer for example in case of reverse engineering of the chip, will irreversibly damage the CSS (i.e. the random structure of particles) and the evaluation result of the CSS will permanently deviate from the expected result.
- the chip can evaluate the CSS by the capacitance sensing and compare the evaluation result with the set of reference values in order to determine whether or not the passivation layer has been removed.
- the change can be detected by the chip autonomously in a relatively easy way.
- the CSS of the invention using randomly distributed conducting particles in the passivation layer of the chip, protects the surface of the chip in combination with a relatively easy detection scheme.
- a logical address of the embedded non volatile memory 50 is accessed. This defines the configuration pattern.
- the pattern is implemented by the integrated circuit 52 (which thus functions as the controller).
- the set of capacitance measurements are obtained from the protection CSS 54 based on a challenge and response.
- the sensed data is output is then verified based on the stored data (or else it can be verified externally).
- the electrodes are typically electrodes 5 - 25 ⁇ m apart, depending on their size and shape, and on the required sensitivity.
- all logic area and memory peripherals e.g. address decoders
- the CSS e.g. address decoders
- other circuits can be protected as well.
- the memory content typically is encrypted, and therefore doesn't necessarily need to be protected by the CSS, but it may be beneficial to protect address decoders, etc.
- the invention is of interest for encryption functions, as well as to protect a semiconductor device against tampering, i.e. attempts to obtain data stored in the semiconductor device, for example a smartcard or an RFID tag. Especially, when there is an encryption key stored in the semiconductor device a hacker may want to try to find the key in order to obtain the valid data.
- the physical structure in accordance with the invention may be advantageously applied (i.e. deposited) on top of an interconnect stack of a semiconductor device comprising an electronic circuit with secure data. Then, while trying to access the semiconductor device from the front-side the capacitance value is changed which affects the encryption key extracted . In other words, it has become very difficult to find the valid data stored in the semiconductor device.
- the invention may be applied in various application areas.
- the invention may be applied in data security for smartcards, RFID tags, Pay-TV chips, and such like.
- Such chips often contain a secret security key (encryption key) and carry out secret functions.
- the encryption key may be advantageously extracted from the physical structure in the semiconductor device in accordance with the invention.
- the invention may also be used for securing communication with, for example, a mobile phone by an internal secure key. This may then be instead of identification via the SIM card which can easily be copied.
- the protected semiconductor device can take any known form.
Abstract
Description
- This invention relates to devices which incorporate a capacitive security shield. This shield can implement a so-called physically unclonable function ("PUF") based on the capacitance value.
- Integrated circuits (ICs) for applications such as smartcards, RFID tags, Pay-TV chips and similar devices often contain a secret security key and carry out secret functions. The IC needs to be secure against attacks from the outside which aim at retrieving data from them.
- ICs may be subjected to both front-side as well as back-side attacks. The "front-side" of a semiconductor device is defined as the side of the semiconductor device on which circuitry is provided. Likewise, the "backside" of the semiconductor device is defined as the side opposite to the front-side.
- Front-side attacks may consist of opening of packaged chips, and recording electrical signals from the chip with external probes. Back-side attacks may consist of various analysis techniques such as photon emission detection, thermal infrared detection, liquid crystal detection, voltage or electric field detection, and electromagnetic detection methods.
- Often these methods are used in combination with invasive attacks such as wafer thinning, laser cutting and heating, focused ion beam (FIB) techniques. Also light or laser flash methods are used from the back-side in order to force signals to flip.
- To counteract these attacks, various kinds of tamper protection schemes have been reported, both for front-side as well as back-side.
- Tamper protection schemes become stronger when they are combined with cryptography. So-called Physical Unclonable Functions (PUFs) were introduced by Pappu et. al. in "Physical One-Way Functions", MIT, March 2001. This disclosure presented a PUF as a cost-effective way of generating secure keys for cryptographic purposes.
- A PUF is a function that is embodied in a physical structure that is easy to evaluate but hard to characterize. The physical structure that contains the PUF consists of at least one random component. This random component is introduced during the manufacturing process and cannot be easily controlled. PUFs are described for use as a hash function and for authentication purposes. Because through PUFs the key-like data is stored essentially in a material rather than in a circuit, the technology can also be used as part of a device that needs authentication, such as a tamper detection sensor.
- Many further developments focus on developing different types of PUFs. The application of PUFs focuses on using PUF' s as unique identifiers for smartcards (fingerprinting) and credit cards or as a 'cheap' source for key generation (common randomness) between two parties based on the very useful properties of PUFs of the uniqueness of the responses and unclonability of the PUF.
- An important aspect of a physical structure for a PUF is that its physical properties are such that an electric property, such as a capacitance or a resistance, can be derived from it which is not (easily) reproducible. This means that the respective electrical property behaves stochastically, i.e. varies within a single semiconductor device (having multiple physical structures), varies within a single batch of semiconductor devices, and varies between multiple batches.
- The larger the variation of the respective electrical property the more information is contained in the PUF.
- A problem with the known PUFs is that the variation of the respective electrical property is limited.
- The invention is defined by the claims.
- According to the invention, there is provided a semiconductor device comprising a capacitive security shield, the capacitive security shield comprising:
- a set of randomly distributed dielectric or conducting particles formed within a dielectric layer;
- a set of electrodes formed in a layer over which the set of particles are formed; and
- a controller,
- This arrangement provides multiple capacitance measurements for different electrode configurations. This increases the random nature of the capacitance function and renders cloning even more difficult.
- The second set can comprise electrodes which are grounded, and/or floating, and/or applied with a modulation voltage. Thus, the second set of electrodes can be divided into sub-sets, with some grounded, some floating and some modulated. The second set of electrodes can all be the same or they can be divided into two or more of these sub-sets. The second set can be considered to be a counter electrode set, although there may be other conducting bodies which also contribute to the counter electrode function.
- The first set comprises electrodes which are applied with a modulation voltage for their capacitance measurement. When a modulation voltage is applied to electrodes of the second set, the same modulation frequency and phase can be used, or the same modulation frequency and opposite phase. In general, any phase can be used. To increase randomness or entropy, reproducible random phases can be selected.
- The device can comprise a memory which stores a sequence of different configurations of the electrodes. This memory information is used to define how the capacitance measurement is to take place. The memory can be part of the device which is protected by the CSS.
- In one set of non-limiting examples, the electrodes can have an area of 100 µm2 or less. Small electrodes are able to detect small changes in the electrode capacitances induced by small external active probe devices.
- The array of electrodes may have tens to thousands of electrodes. The electrode array is typically a regular array of electrodes, whereas the particles are randomly distributed by the manufacturing process. The particles can for example have a maximum linear dimension of less than 30µm.
- The device can be used in a smart card or an RFID tag.
- The invention also provides a method of extracting data from a semiconductor device which comprises a structure for use in a physically unclonable function, wherein the structure comprises a set of randomly distributed dielectric or conducting particles formed within a dielectric layer and a set of electrodes formed in a layer over which the set of particles are formed,
wherein the method comprises: - configuring the electrodes as at least two sets;
- measuring a capacitance characteristic using the first set, with the second set configured as a counter electrode set;
- reconfiguring the electrodes as a different combination of at least two sets;
- measuring a reconfigured capacitance characteristic using the first set with the second set configured as a counter electrode set.
- An example of the invention will now be described in detail with reference to the accompanying drawings, in which:
-
Figure 1 shows a device of the invention; -
Figure 2 shows how the device is reconfigured into different configurations for multiple measurements; and -
Figure 3 shows an example of how the device is used. - The invention provides a semiconductor device comprising a CSS structure which uses a set of randomly distributed dielectric or conducting particles formed within a dielectric layer. A set of electrodes can be configured as at least two sets, wherein a first set is used to measure a capacitance characteristic, and a second set is configured as a counter electrode set. The electrode configuration can be altered so that multiple measurements can be obtained.
- In this way, the invention is based on a set of single-electrode fringe capacitors that are spread over the chip area (in particular over parts that need to be protected against attacks). Each capacitor senses its local environment by measuring the spreading capacitance between its electrode plate and all objects and materials that are within the electric field lines emerging from the electrode plate.
-
Figure 1 shows alayer 10 of electrodes over which adielectric layer 12 is formed, in which randomly dispersedparticles 14 are embedded. - The
layer 10 can be the top metallization layer of an IC, and there is an independent connection to each electrode, which then routes to processing circuitry within the IC. -
Figure 1 shows schematically field lines formed, although electric field lines through the bottom layer are omitted. - The electrodes are divided into two sets. The first set comprises
active electrodes 16. The second set comprises counter electrodes, and some of these are grounded 18 and others are floating 20. -
Figure 1 shows a cross-section through the electrodes. The dimensions of the electrodes in the direction perpendicular to the plane of the drawing are comparable to their dimensions in the plane, so that the electrodes are for example generally round or square in plan view. - In this example only grounded and floating counter electrodes are used. Only a single row of electrodes can be seen, but in practice a two dimensional array of electrodes is used.
- In the example of
Figure 1 , the chip is covered by a dielectric layer in which conducting particles with irregular shapes are distributed randomly. If an attacker removes part of the dielectric layer, or removes, damages or displaces one or more conducting particles, then the capacitances of active electrodes in the proximity of the attacked location changes. This change is also sensed if the removal or displacement of material was done before the chip is powered on. - Examples of the particles are:
- Irregularly shaped conductive particles like flakes of metal, semiconductor, graphene, etc.; or
- Irregularly shaped dielectric particles with a dielectric constant that differs from that of the
dielectric layer 12 in which they are embedded. - When the chip receives a supply of power, a sub-set of the electrodes is selected (the first set of active electrodes) to measure their capacitive response.
- The capacitances of all active electrodes are measured separately. A capacitance typically is measured by repetitively charging and discharging the electrode's capacitance, e.g. with a logic gate as switching element, and measuring the average charge/discharge current. In the case of a logic gate switching element, the gate's dynamic power dissipation is proportional to the sum of the electrode capacitor and the gate's parasitic capacitance.
- The remaining non-selected electrodes (the second set of counter electrodes) are connected in a particular connection pattern to from a collective distributed counter electrode, where the electric field lines emerging from the active electrodes terminate. Field lines can also terminal on other conductors in the vicinity. Of these counter electrodes a first sub-set can be grounded, a second sub-set can be floating, a third sub-set can be connected to a modulation voltage with the same frequency and phase as that on the active electrodes, and a fourth sub-set can be connected to a modulation voltage with the same frequency but opposite phase as that on the active electrodes.
- This defines an approach with four sub-sets. However, in a simplest implementation, all electrodes of the second set can be the same - e.g. all grounded or all floating. The division of the counter electrodes (the second set) can be more complex as desired. There may even be more than the four sub-sets identified above.
- Thus, different connection patterns can be created by removing, adding or modifying sub-sets of active or counter electrodes.
- In the description below, a particular configuration of active and counter electrodes is referred to as a physical connection pattern.
-
Figure 2 shows an example of four (1 to 4) subsequent physical connection patterns of a full scan (showing a top view of part of the chip). - The
active electrodes 30 are shown with one fill pattern (these are the first set). The groundedcounter electrodes 32 are shown with another fill pattern (these are the first sub-set of the second set) and floatingcounter electrodes 34 are shown with a different fill pattern (these are the second sub-set of the second set). The irregularly shaped forms are the conductive (or dielectric) particles. - Only one of each type of electrode is referenced, but all electrodes of the same type are shown with the same fill pattern.
- A full scan over the entire chip surface can be implemented by repeating a number of capacitance measurements for a set of alternative physical connection patterns. In the simplest version, there are two measurement phases. Between the measurement phases, some of the previously non-selected electrodes are made active, and some or all of the previously active electrodes are added to the sub-sets of grounded, floating, etc. counter electrodes.
- In this way, a sequence of different physical connection patterns can be created and measured.
Figure 2 shows an example of 4 possible physical connection patterns of a full scan, i.e. 4 measurement phases. - The number of measurement phases needed will depend on the required randomness of the measurement, on the chip area, and on the amount of parallelism in the processing of the measurements. More parallelism gives a faster scan, but requires more hardware resources on the chip.
- In an extreme case, where pairs of electrodes of a chip with 1,000 - 10,000 electrodes are compared sequentially in differential measurements, there can be 500 - 5,000 measurement phases. More realistic cases may have tens to hundreds of phases. For very accurate measurement on highly secure chips more phases can be used by reconfiguring the states of non-selected electrodes. The number of phases is also dependent on the total time available for tampering detection.
- Because each individual chip is covered with a different unique pattern of particles, a given sequence of physical connection patterns will produce a unique sequence of measured capacitance values for each different chip. This makes it very hard to use information gathered about the distribution of particles in one particular chip to predict measured capacitances on another chip.
- If the electrodes are made small enough then their capacitances will be less than the typical spreading capacitance of a metal probe tip that is put close enough above the dielectric layer to be able to sense electric potentials on the chip. So if someone tries to detect the electrical signal pattern produced by the active electrodes or by another circuit on the chip that is protected by the CSS by, e.g., placing a microscopic metallic tip just above the protected chip surface, then this is sensed as a change in the capacitances of the active electrodes in proximity to that tip.
- By way of example, the electrode size can be a square of 1 to 5µm side, a circle of similar diameter, or lines with similar area. The area is generally below 100µm2 so that a capacitance change which results from a small external probe can be detected. The particles can have largest linear dimension of 0.3 to 30µm. The particle size and the particle density are chosen together to obtain the desired sensitivity of the capacitance function.
- With active electric field probes, consisting of microscopic metallic tips immediately connected to local active readout electronics, it may still be possible to detect very small electric fringe fields emerging from the chip. However, for sufficient signal-to-noise ratio this typically requires long integration times. Therefore, by using very high modulation frequencies to quickly measure the capacitances of the active electrodes this way of attack is made very hard or even impossible because the on-chip capacitance measurements can be done so fast that the external active probe cannot achieve the required signal-to-noise ratio within the time that a particular physical connection pattern is present.
- The time required for a capacitance measurement depends on the noise, and on the cross-talk from other signals on the chip. It also depends on the required sensitivity of the capacitance measurement. A duration of 0.03ms - 3 ms can be required for a single capacitance measurement.
- With a combination of small electrodes and fast high-frequency measurements, any attempt to detect signals emerging from the chip with external probes can be detected by the chip before the attacker is able to detect the signals emerging from the chip. In case such an attack is detected the chip can be halted or powered down, so that the attacker cannot accumulate information with long-lasting measurements.
- Nevertheless, an attacker may be able to reveal a fixed sequence of physical connection patterns by investigating some chips (e.g. by reverse engineering), and then use that information to perform a prepared attack on another chip. This can be prevented by mapping a fixed sequence of logical addresses into a chip-specific sequence of physical connection patterns, e.g., with an on-chip SRAM PUF or similar. As a result, each chip will have its own unique sequence of physical connection patterns. In this way it is not possible to use prior information about physical connection patterns, and their relation to the logical addresses, acquired from another chip in a prepared attack.
- To avoid the mapping by the SRAM PUF being reverse engineered the SRAM PUF itself can be protected by the above CSS as well.
- After production, the response pattern of each protected chip has to be read out in a secure terminal and stored in a database. Part of the database may be stored off-chip (e.g. when it is used for authentication), and part may be stored in a nonvolatile on-chip memory (when it is used for protection against attacks). This can be done by supplying a sequence of logical addresses (in case of PUFs usually called "challenges") and recording the corresponding capacitance values read from the sequence of active capacitor.
- The arrangement can use electrodes buried under a scratch protection layer or other top layer. A Flash or EEPROM memory can be used for the local database; with the memory protected by the CSS itself.
-
Figure 3 shows a possible use of the device of the invention. - The IC comprises the embedded
memory 50, the main IC to be protected 52 and the CSS structure. - During production of the chip, sets of values representing the expected evaluation result of the
CSS 54 are stored in the chip's internalnon-volatile memory 50. An attempt to remove the passivation layer, for example in case of reverse engineering of the chip, will irreversibly damage the CSS (i.e. the random structure of particles) and the evaluation result of the CSS will permanently deviate from the expected result. - Thus, the chip can evaluate the CSS by the capacitance sensing and compare the evaluation result with the set of reference values in order to determine whether or not the passivation layer has been removed.
- If the passivation layer is removed and/or replaced, the change can be detected by the chip autonomously in a relatively easy way. The CSS of the invention, using randomly distributed conducting particles in the passivation layer of the chip, protects the surface of the chip in combination with a relatively easy detection scheme.
- By using a mapping of logical address to physical electrode configuration, a unique fingerprint is provided for each chip, so that reverse engineering from a non-functional chip cannot be used to tamper another still functional chip.
- In order to use the chip, a logical address of the embedded non
volatile memory 50 is accessed. This defines the configuration pattern. The pattern is implemented by the integrated circuit 52 (which thus functions as the controller). For the pattern, the set of capacitance measurements are obtained from theprotection CSS 54 based on a challenge and response. - The sensed data is output is then verified based on the stored data (or else it can be verified externally).
- The electrodes are typically electrodes 5 - 25 µm apart, depending on their size and shape, and on the required sensitivity. Typically all logic area and memory peripherals (e.g. address decoders) would be protected by the CSS. Optionally other circuits can be protected as well. In secure chips, the memory content typically is encrypted, and therefore doesn't necessarily need to be protected by the CSS, but it may be beneficial to protect address decoders, etc.
- The invention is of interest for encryption functions, as well as to protect a semiconductor device against tampering, i.e. attempts to obtain data stored in the semiconductor device, for example a smartcard or an RFID tag. Especially, when there is an encryption key stored in the semiconductor device a hacker may want to try to find the key in order to obtain the valid data.
- The physical structure in accordance with the invention may be advantageously applied (i.e. deposited) on top of an interconnect stack of a semiconductor device comprising an electronic circuit with secure data. Then, while trying to access the semiconductor device from the front-side the capacitance value is changed which affects the encryption key extracted . In other words, it has become very difficult to find the valid data stored in the semiconductor device.
- The invention may be applied in various application areas. For example, the invention may be applied in data security for smartcards, RFID tags, Pay-TV chips, and such like. Such chips often contain a secret security key (encryption key) and carry out secret functions. The encryption key may be advantageously extracted from the physical structure in the semiconductor device in accordance with the invention.
- The invention may also be used for securing communication with, for example, a mobile phone by an internal secure key. This may then be instead of identification via the SIM card which can easily be copied.
- The protected semiconductor device can take any known form.
- It is noted that the term "physically unclonable function" does not imply an absolutely non clonable feature. It simply means that the complexity of the physical structure is such that it is not feasible to physically replicate or computationally model the structure.
- It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage. Various modifications will be apparent to those skilled in the art.
Claims (15)
- A semiconductor device comprising a capacitive security shield, the capacitive security shield comprising:a set of randomly distributed dielectric or conducting particles (14) formed within a dielectric layer (12);a set of electrodes (16,18,20;30,32,34) formed in a layer over which the set of particles are formed; anda controller (52),
wherein the controller (52) is adapted to configure the electrodes as at least two sets, wherein a first set (16) is used to measure a capacitance characteristic, and a second set (18,20) is configured as a non-measurement set, wherein the controller is further adapted to reconfigure the electrodes into a different first and second set, and the reconfigured first set is used to measure a reconfigured capacitance characteristic. - A device as claimed in claim 1, wherein the second set comprises electrodes (18) which are grounded.
- A device as claimed in claim 1 or 2, wherein the second set comprises electrodes (20) which are at a floating potential.
- A device as claimed in any preceding claim, wherein the second set comprises electrodes which are applied with a modulation voltage.
- A device as claimed in claim 4, wherein the first set (16) comprises electrodes which are applied with a modulation voltage, and wherein electrodes of the second set have the same modulation signal.
- A device as claimed in claim 4 or 5, wherein the first set (16) comprises electrodes which are applied with a modulation voltage, and wherein electrodes of the second set electrodes have an inverse modulation signal.
- A device as claimed in any preceding claim, comprising a memory (50) which stores a sequence of different configurations of the electrodes.
- A device as claimed in any preceding claim, wherein the electrodes (16,18,20;30,32,34) have an area of 100 µm2 or less.
- A device as claimed in any preceding claim, wherein the particles (14) have a maximum linear dimension of less than 30µm.
- A card, secure chip or an RFID tag comprising a device as claimed in any preceding claim.
- A method of extracting data from a semiconductor device comprising which comprises a structure for use in a physically unclonable function, wherein the structure comprises a set of randomly distributed dielectric or conducting particles (14) formed within a dielectric layer (12) and a set of electrodes (16,18,20;30,32,34) formed in a layer over which the set of particles are formed,
wherein the method comprises:configuring the electrodes as at least two sets;measuring a capacitance characteristic using the first set (16), with the second set (18,20) configured as a non-measurement set;reconfiguring the electrodes as a different combination of the at least two sets;measuring a reconfigured capacitance characteristic using the first set (16) with the second set (18,20) configured as a non-measurement set. - A method as claimed in claim 11, comprising setting the voltage of electrodes of the second set to:ground; and/ora floating potential; and/ora modulation voltage or its inverse.
- A method as claimed in claim 12, comprising measuring a capacitance characteristic by applying a modulation voltage to the electrodes of the first set, and applying to the electrodes of the second set the same signal.
- A method as claimed in claim 12 or 13, comprising measuring a capacitance characteristic by applying a modulation voltage to the electrodes of the first set, and applying to the electrodes of the second set the opposite modulation signal.
- A method as claimed in any one of claims 11 to 14 for use in an authentication procedure.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP13174078.9A EP2819049B1 (en) | 2013-06-27 | 2013-06-27 | Device with capacitive security shield |
US14/293,730 US9390295B2 (en) | 2013-06-27 | 2014-06-02 | Device with capacitive security shield |
CN201410290243.3A CN104252636B (en) | 2013-06-27 | 2014-06-25 | Device with capacitive security shield |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP13174078.9A EP2819049B1 (en) | 2013-06-27 | 2013-06-27 | Device with capacitive security shield |
Publications (2)
Publication Number | Publication Date |
---|---|
EP2819049A1 true EP2819049A1 (en) | 2014-12-31 |
EP2819049B1 EP2819049B1 (en) | 2015-11-18 |
Family
ID=48740896
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP13174078.9A Active EP2819049B1 (en) | 2013-06-27 | 2013-06-27 | Device with capacitive security shield |
Country Status (3)
Country | Link |
---|---|
US (1) | US9390295B2 (en) |
EP (1) | EP2819049B1 (en) |
CN (1) | CN104252636B (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3086473A1 (en) * | 2015-04-23 | 2016-10-26 | Nxp B.V. | Sensor circuit and method |
EP3193281A1 (en) * | 2016-01-15 | 2017-07-19 | Nxp B.V. | Electronic device |
EP3306517A1 (en) * | 2016-10-04 | 2018-04-11 | Nagravision S.A. | An active shield for detecting an intrusion on an integrated circuit |
EP3418936A1 (en) * | 2017-06-21 | 2018-12-26 | Commissariat à l'énergie atomique et aux énergies alternatives | Method for securing an integrated circuit during the production thereof using random connecting trakcs |
GB2567642A (en) * | 2017-10-17 | 2019-04-24 | Crypto Quantique Ltd | Unique identifiers based on quantum effects |
WO2019116032A1 (en) * | 2017-12-15 | 2019-06-20 | Ttp Plc | Physically unclonable function device |
EP3550466A1 (en) * | 2018-04-06 | 2019-10-09 | Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. | Puf-film and method for producing the same |
GB2587223A (en) * | 2019-09-19 | 2021-03-24 | Pragmatic Printing Ltd | Electronic device and associated method of manufacture |
US11411748B2 (en) | 2018-04-06 | 2022-08-09 | Fraunhofer-Gesellschaft Zur Foerderung Der Angewandten Forschung E.V. | PUF-film and method for producing the same |
US11586780B2 (en) | 2018-04-06 | 2023-02-21 | Fraunhofer-Gesellschaft Zur Foerderung Der Angewandten Forschung E.V. | PUF-film and method for producing the same |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3147830B1 (en) | 2015-09-23 | 2020-11-18 | Nxp B.V. | Protecting an integrated circuit |
CN106997843B (en) * | 2016-01-22 | 2020-05-01 | 中芯国际集成电路制造(上海)有限公司 | Semiconductor device safety authentication method |
DK3340213T3 (en) * | 2016-12-21 | 2020-06-08 | Merck Patent Gmbh | PUF-BASED COMPOSITION SAFETY LABELING TO COMBAT FORM |
WO2018183926A1 (en) * | 2017-03-31 | 2018-10-04 | Arizona Board Of Regents On Behalf Of Northern Arizona University | Securing distributed elements connected to a network with addressable physically unclonable functions |
US10622316B2 (en) | 2017-05-08 | 2020-04-14 | International Business Machines Corporation | Security arrangement for integrated circuits using microcapsules in dielectric layer |
CN109040853A (en) * | 2018-09-04 | 2018-12-18 | 国微集团(深圳)有限公司 | A kind of digital stream media fingerprints watermark protection method and device |
GB201908679D0 (en) | 2019-06-18 | 2019-07-31 | Ttp Plc | Environmentally dependent physically unclonable function device |
GB201908680D0 (en) | 2019-06-18 | 2019-07-31 | Ttp Plc | Temperature independent physically unclonable function device |
US11516028B2 (en) | 2019-12-24 | 2022-11-29 | CERA Licensing Limited | Temperature sensing physical unclonable function (PUF) authentication system |
GB201919297D0 (en) | 2019-12-24 | 2020-02-05 | Aronson Bill | Temperature sensing physical unclonable function (puf) authenication system |
US11860207B2 (en) | 2020-01-31 | 2024-01-02 | Hewlett-Packard Development Company, L.P. | Determining electric field distributions |
CN113000858B (en) * | 2021-02-07 | 2022-05-20 | 西安交通大学 | Graphene-high-entropy alloy composite material and selective laser melting preparation method thereof |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008152577A1 (en) * | 2007-06-14 | 2008-12-18 | Intrinsic Id Bv | Method and device for providing digital security |
WO2012122994A1 (en) * | 2011-03-11 | 2012-09-20 | Kreft Heinz | Off-line transfer of electronic tokens between peer-devices |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7663607B2 (en) * | 2004-05-06 | 2010-02-16 | Apple Inc. | Multipoint touchscreen |
US6760357B1 (en) * | 1998-04-14 | 2004-07-06 | Bandwidth9 | Vertical cavity apparatus with tunnel junction |
TW511398B (en) * | 2000-09-12 | 2002-11-21 | Tokyo Electron Ltd | Apparatus and method to control the uniformity of plasma by reducing radial loss |
FI115109B (en) * | 2003-01-22 | 2005-02-28 | Nokia Corp | An authentication arrangement and a mobile station comprising an authentication arrangement |
CN101421971A (en) * | 2006-04-11 | 2009-04-29 | 皇家飞利浦电子股份有限公司 | Attack detection with coating puf |
CN101617319B (en) * | 2007-02-20 | 2012-09-26 | Nxp股份有限公司 | Semiconductor device with backside tamper protection |
JP4493686B2 (en) * | 2007-09-27 | 2010-06-30 | 太陽誘電株式会社 | Capacitor and manufacturing method thereof |
EP2337263B1 (en) * | 2009-12-17 | 2020-02-12 | Nxp B.V. | Token comprising improved physical unclonable function |
-
2013
- 2013-06-27 EP EP13174078.9A patent/EP2819049B1/en active Active
-
2014
- 2014-06-02 US US14/293,730 patent/US9390295B2/en active Active
- 2014-06-25 CN CN201410290243.3A patent/CN104252636B/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008152577A1 (en) * | 2007-06-14 | 2008-12-18 | Intrinsic Id Bv | Method and device for providing digital security |
WO2012122994A1 (en) * | 2011-03-11 | 2012-09-20 | Kreft Heinz | Off-line transfer of electronic tokens between peer-devices |
Non-Patent Citations (2)
Title |
---|
A-R SADEGHI ET AL: "Reconfigurable Physical Unclonable Functions - Enabling technology for tamper-resistant storage", HARDWARE-ORIENTED SECURITY AND TRUST, 2009. HOST '09. IEEE INTERNATIONAL WORKSHOP ON, IEEE, PISCATAWAY, NJ, USA, 27 July 2009 (2009-07-27), pages 22 - 29, XP031520804, ISBN: 978-1-4244-4805-0 * |
PAPPU: "Physical One-Way Functions", March 2001, MIT |
Cited By (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3086473A1 (en) * | 2015-04-23 | 2016-10-26 | Nxp B.V. | Sensor circuit and method |
US10119839B2 (en) | 2015-04-23 | 2018-11-06 | Nxp B.V. | Sensor circuit and method |
EP3193281A1 (en) * | 2016-01-15 | 2017-07-19 | Nxp B.V. | Electronic device |
CN106981465A (en) * | 2016-01-15 | 2017-07-25 | 恩智浦有限公司 | Electronic installation |
CN106981465B (en) * | 2016-01-15 | 2022-02-18 | 恩智浦有限公司 | Electronic device |
US10325120B2 (en) | 2016-01-15 | 2019-06-18 | Nxp B.V. | Electronic device |
EP3306517A1 (en) * | 2016-10-04 | 2018-04-11 | Nagravision S.A. | An active shield for detecting an intrusion on an integrated circuit |
WO2018065394A1 (en) * | 2016-10-04 | 2018-04-12 | Nagravision S.A. | An active shield for detecting an intrusion on an integrated circuit |
US10891402B2 (en) | 2016-10-04 | 2021-01-12 | Nagravision S.A. | Active shield for detecting an intrusion on an integrated circuit |
EP3418936A1 (en) * | 2017-06-21 | 2018-12-26 | Commissariat à l'énergie atomique et aux énergies alternatives | Method for securing an integrated circuit during the production thereof using random connecting trakcs |
FR3068150A1 (en) * | 2017-06-21 | 2018-12-28 | Commissariat A L'energie Atomique Et Aux Energies Alternatives | METHOD FOR CONSTRUCTIVELY SECURING AN INTEGRATED CIRCUIT DURING ITS ACHIEVEMENT |
US11038701B2 (en) | 2017-06-21 | 2021-06-15 | Commissariat A L'energie Atomique Et Aux Energies Alternatives | Method for securing an integrated circuit during fabrication |
GB2567642B (en) * | 2017-10-17 | 2020-08-26 | Crypto Quantique Ltd | Unique identifiers based on quantum effects |
GB2567642A (en) * | 2017-10-17 | 2019-04-24 | Crypto Quantique Ltd | Unique identifiers based on quantum effects |
US11621840B2 (en) | 2017-10-17 | 2023-04-04 | Crypto Quantique Limited | Unique identifiers based on quantum effects |
WO2019116032A1 (en) * | 2017-12-15 | 2019-06-20 | Ttp Plc | Physically unclonable function device |
US11469910B2 (en) | 2017-12-15 | 2022-10-11 | Ttp Plc | Physically unclonable function device |
EP3550466A1 (en) * | 2018-04-06 | 2019-10-09 | Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. | Puf-film and method for producing the same |
US11301593B2 (en) | 2018-04-06 | 2022-04-12 | Fraunhofer-Gesellschaft Zur Foerderung Der Angewandten Forschung E.V. | PUF-film and method for producing the same |
US11411748B2 (en) | 2018-04-06 | 2022-08-09 | Fraunhofer-Gesellschaft Zur Foerderung Der Angewandten Forschung E.V. | PUF-film and method for producing the same |
US11586780B2 (en) | 2018-04-06 | 2023-02-21 | Fraunhofer-Gesellschaft Zur Foerderung Der Angewandten Forschung E.V. | PUF-film and method for producing the same |
US11889004B2 (en) | 2018-04-06 | 2024-01-30 | Fraunhofer-Gesellschaft Zur Foerderung Der Angewandten Forschung E.V. | PUF-film and method for producing the same |
GB2587223A (en) * | 2019-09-19 | 2021-03-24 | Pragmatic Printing Ltd | Electronic device and associated method of manufacture |
GB2587223B (en) * | 2019-09-19 | 2023-07-19 | Pragmatic Printing Ltd | Electronic device and associated method of manufacture |
Also Published As
Publication number | Publication date |
---|---|
US9390295B2 (en) | 2016-07-12 |
CN104252636A (en) | 2014-12-31 |
CN104252636B (en) | 2017-04-12 |
US20150007353A1 (en) | 2015-01-01 |
EP2819049B1 (en) | 2015-11-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2819049B1 (en) | Device with capacitive security shield | |
Nedospasov et al. | Invasive PUF analysis | |
Rahman et al. | Physical inspection & attacks: New frontier in hardware security | |
Helfmeier et al. | Cloning physically unclonable functions | |
US20090065591A1 (en) | Smart-card chip arrangement | |
US9509306B2 (en) | Tamper resistant IC | |
JP2016105278A (en) | Nonvolatile memory device having tamper-resistance, and integrated circuit card | |
US11295003B2 (en) | Generating a unique response to a challenge | |
CN101421971A (en) | Attack detection with coating puf | |
JP2017028354A (en) | Electronic device network and chip authentication system | |
van der Leest et al. | Hardware intrinsic security to protect value in the mobile market | |
CN108986857A (en) | Integrated circuit and its method with anti-tampering protection | |
US20200186368A1 (en) | Generating a nondeterministic response to a challenge | |
Koeberl et al. | Evaluation of a PUF Device Authentication Scheme on a Discrete 0.13 um SRAM | |
Yang et al. | An RFID-based technology for electronic component and system counterfeit detection and traceability | |
US20230030739A1 (en) | Physically unclonable function device | |
Biswas et al. | On backside probing techniques and their emerging security threats | |
Neve et al. | Memories: A survey of their secure uses in smart cards | |
Kim et al. | Predictive analysis of 3D ReRAM-based PUF for securing the Internet of Things | |
US11195582B2 (en) | Non-volatile memory device and method of writing to non-volatile memory device | |
Liao et al. | The cell dependency analysis on learning sram power-up states | |
Biswas et al. | Emerging nonvolatile memories—an assessment of vulnerability to probing attacks | |
Biba et al. | Measurement setup for physical unclonable functions | |
Pavlina et al. | Characterizing EEPROM for usage as a ubiquitous PUF source | |
Rajan et al. | Low power physical layer security solutions for IoT devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20131031 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
INTG | Intention to grant announced |
Effective date: 20150316 |
|
RBV | Designated contracting states (corrected) |
Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
INTG | Intention to grant announced |
Effective date: 20151001 |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: REF Ref document number: 761876 Country of ref document: AT Kind code of ref document: T Effective date: 20151215 |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R096 Ref document number: 602013003828 Country of ref document: DE |
|
REG | Reference to a national code |
Ref country code: NL Ref legal event code: MP Effective date: 20160218 |
|
REG | Reference to a national code |
Ref country code: LT Ref legal event code: MG4D |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: MK05 Ref document number: 761876 Country of ref document: AT Kind code of ref document: T Effective date: 20151118 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: IT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160318 Ref country code: NL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: NO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160218 Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 |
|
REG | Reference to a national code |
Ref country code: FR Ref legal event code: PLFP Year of fee payment: 4 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160219 Ref country code: AT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160318 Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: FI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: RS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: LV Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R097 Ref document number: 602013003828 Country of ref document: DE |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: RO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: SM Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: EE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
26N | No opposition filed |
Effective date: 20160819 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: BE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MC Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: MM4A |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LI Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20160630 Ref country code: CH Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20160630 |
|
REG | Reference to a national code |
Ref country code: FR Ref legal event code: PLFP Year of fee payment: 5 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20160627 |
|
REG | Reference to a national code |
Ref country code: FR Ref legal event code: PLFP Year of fee payment: 6 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: HU Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO Effective date: 20130627 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MT Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20160630 Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20160627 Ref country code: MK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: CY Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: BG Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: AL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 Ref country code: TR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20151118 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: FR Payment date: 20190522 Year of fee payment: 7 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: GB Payment date: 20190522 Year of fee payment: 7 |
|
GBPC | Gb: european patent ceased through non-payment of renewal fee |
Effective date: 20200627 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: GB Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20200627 Ref country code: FR Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20200630 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: DE Payment date: 20230523 Year of fee payment: 11 |
|
P01 | Opt-out of the competence of the unified patent court (upc) registered |
Effective date: 20230725 |